Will my bank really report a one-day, one-dollar overdraft to the state bar?

Yes. Every state with an IOLTA program requires participating banks to report any overdraft on a trust account directly to the state bar — no minimum amount, no grace period. The bank's report goes out automatically, often before you even see the NSF notice on your end.

How far back will an audit go?

Most reviews look at 12 to 36 months of records, but examiners can ask for more if they find issues. State retention rules typically require you to keep IOLTA records for at least seven years, so plan around the longer window.

I got a records request — am I being audited?

A records request is the start of a review, but it doesn't always escalate to a full audit. If your records are clean and you respond promptly, many reviews close at the records-request stage. If gaps or violations show up, the review widens.

How long do I have to respond to an audit notice?

It depends on the state and the type of notice, but most overdraft response letters give you 14 to 30 days to produce the requested records. Don't wait — ask for an extension early if you need one. Silence is treated as noncooperation and makes things worse.

Can I be audited if I've never had a complaint or an overdraft?

Yes — that's the change. In states with random audit programs (California's CTAPP, North Carolina's geography-based program), every attorney holding a trust account is in the pool, regardless of history. Other states are watching both programs and considering their own.

Should I tell my malpractice carrier if I receive an audit notice?

Most carriers want to know. Many policies require notice of any disciplinary inquiry, and your carrier can often refer you to ethics counsel who specialize in trust account responses. Read your policy and call your carrier's claims line if you're unsure.

Will my bank really report a one-day, one-dollar overdraft to the state bar?

Yes. Every state with an IOLTA program requires participating banks to report any overdraft on a trust account directly to the state bar — no minimum amount, no grace period. The bank's report goes out automatically, often before you even see the NSF notice on your end.

How far back will an audit go?

Most reviews look at 12 to 36 months of records, but examiners can ask for more if they find issues. State retention rules typically require you to keep IOLTA records for at least seven years, so plan around the longer window.

I got a records request — am I being audited?

A records request is the start of a review, but it doesn't always escalate to a full audit. If your records are clean and you respond promptly, many reviews close at the records-request stage. If gaps or violations show up, the review widens.

How long do I have to respond to an audit notice?

It depends on the state and the type of notice, but most overdraft response letters give you 14 to 30 days to produce the requested records. Don't wait — ask for an extension early if you need one. Silence is treated as noncooperation and makes things worse.

Can I be audited if I've never had a complaint or an overdraft?

Yes — that's the change. In states with random audit programs (California's CTAPP, North Carolina's geography-based program), every attorney holding a trust account is in the pool, regardless of history. Other states are watching both programs and considering their own.

Should I tell my malpractice carrier if I receive an audit notice?

Most carriers want to know. Many policies require notice of any disciplinary inquiry, and your carrier can often refer you to ethics counsel who specialize in trust account responses. Read your policy and call your carrier's claims line if you're unsure.

Back to Resources

BlogIOLTACompliance·8 min read

What Triggers a State Bar Trust Account Audit?

For years, trust account audits were rare. That era is over. Here's what triggers a review, what auditors actually look at, and how to be ready before the letter arrives.

Disbo Team

Published April 23, 2026

Quick Answer

Four things trigger almost every state bar trust account review: an overdraft your bank reports automatically, a client complaint involving money, late or missing CTAPP-style reporting, and — newest — random selection. Once a review opens, examiners typically request 12–36 months of bank statements, ledgers, and three-way reconciliations. The firms that come through cleanly are the ones who reconciled monthly, kept a ledger per matter, and treated compliance as an always-on system instead of a once-a-quarter scramble.

For years, trust account audits were rare events. Unless a client filed a complaint or your bank reported an overdraft, you could practice for a decade without the state bar ever looking at your IOLTA.

That era is over.

California's Client Trust Account Protection Program (CTAPP) began random compliance reviews on September 29, 2025. North Carolina reportedly launched its own geography-based random audit program on January 15, 2026. Other states are watching both, and attorney ethics committees across the country are openly discussing whether random audits should become standard.

If you run a PI firm, you need to understand what triggers a review — and what reviewers actually look at when they arrive.

The Four Categories of Audit Triggers

Trust account audits almost always start with one of four things.

1. Overdrafts

This is the number one trigger, full stop.

Every state has a rule requiring banks holding IOLTA accounts to report any overdraft — even a one-day, one-dollar overdraft caused by a check clearing before a deposit posts — directly to the state bar. You don't get to explain it first. The bar finds out before you do.

When the bar gets an overdraft notice, you almost always get a letter. That letter triggers, at minimum, a records request. At worst, a full audit.

The painful part: overdrafts usually aren't caused by fraud. They're caused by timing. A check clears Tuesday, the wire arrives Wednesday, and the bank charges you an NSF fee on Tuesday night. That one-day overdraft is a reportable event.

2. Client Complaints

Any complaint involving money — a client says you held their funds too long, miscalculated the fee, didn't provide a statement, or can't account for a deposit — almost always widens into a trust account review. The bar isn't going to investigate just one transaction; if they're already looking at your books, they're looking at all of them.

3. Late or Missing Reporting

States with formal reporting regimes (California CTAPP is the highest-profile example) require attorneys to submit periodic certifications. Miss a deadline, submit an incomplete report, or flag yourself as noncompliant, and you move to the top of the audit queue.

California attorneys who failed to file their first CTAPP report in 2025 faced automatic review. The bar has indicated that unreported IOLTA accounts — accounts the bar discovered through bank data but that the attorney never disclosed — are being aggressively flagged.

4. Random Selection

This is the new category. In states that have adopted random audit programs, every attorney holding a trust account is potentially subject to review, regardless of whether they've ever had a complaint or an overdraft.

California's CTAPP draws random attorneys each cycle. North Carolina's program is reportedly geography-based — selecting all attorneys within a designated region for review in a given window. The first waves of data have been striking: in California's initial CTAPP reviews, 83% of audited firms had noncompliant three-way reconciliations, 89% had noncompliant client ledgers, and 83% had noncompliant trust account journals.

Translation: if you get selected randomly, the statistical expectation is that the auditor will find something.

What Auditors Actually Look At

When a review starts, the bar typically requests a defined set of records for a specific window — usually the most recent 12 to 36 months. Expect to produce:

•Bank statements for every IOLTA and non-IOLTA trust account
•Cancelled checks and wire records (front and back, where applicable)
•Deposit slips
•The general ledger / account journal for each trust account
•Individual client ledgers for every matter that touched the account during the review period
•Monthly three-way reconciliation reports
•Any engagement letters, settlement statements, or fee agreements tied to flagged transactions

The examiner is checking whether every dollar that went in is accounted for, every dollar that went out is documented and authorized, and whether the three-way reconciliation was performed and matched every month.

The Reconciliation Problem That Gets Most Firms

Here's the pattern that keeps showing up in CTAPP results and that will define the next wave of enforcement: firms do reconciliations, but they don't do them correctly.

Common failures:

•Reconciling bank balance to book balance but not to client ledger totals (two-way, not three-way)
•Reconciling only quarterly when the state requires monthly
•"Plugging" discrepancies with adjusting entries rather than investigating them
•Missing or incomplete client ledgers — you can't reconcile to ledgers that don't exist
•Reconciling on paper with no supporting documentation preserved

An examiner reading 36 months of "plugged" reconciliations is looking at a finding. Even if no money is missing, the documentation failure alone is a violation.

Costs Beyond the Fine

The direct penalties matter — individual violations in California can carry fines in the thousands, and severe cases can lead to suspension or disbarment — but the indirect costs often hurt more.

•CPA forensic fees: When the bar escalates, you often need a certified trust accountant to reconstruct your records. Disbo's own research puts these engagements at $5,000 to $15,000 per review.
•Lost billable time: Responding to a records request takes days of partner and paralegal time.
•Referral impact: Other attorneys read disciplinary actions. A public finding can chill your referral network for years.

What to Do Before a Notice Arrives

If you're reading this and you haven't had an audit yet, treat that as your window.

•Reconcile three ways, every month. Bank balance, book balance, client ledger totals — all three must match. If they don't, investigate on the day you find it, not at the end of the quarter.
•Keep separate client ledgers for every matter, even pass-through ones.
•Document every disbursement with who authorized it, what matter it's tied to, and what it represents.
•Preserve records for the longer of seven years or your state's retention rule.
•Test-run an audit. Pick a 12-month window and see if you can produce every record an examiner would request, in digital form, in under an hour.
•Fix the root cause, not the symptom. If your reconciliations are late because the process is manual, the fix is automation, not a bigger spreadsheet.

How Technology Changes the Risk

The reason audit failures are so common isn't that attorneys don't care — it's that the workflow was designed for checks, carbon copies, and monthly bank statements. Manual reconciliation is genuinely error-prone, and errors compound over time.

Modern disbursement platforms produce the three-way reconciliation as a byproduct of doing the work. Every payment leaves a matter-aware, timestamped, audit-ready record. When the notice from the bar arrives, you export it.

Disbo was built specifically for PI firms navigating CTAPP and the next wave of state audit programs. But whether you use Disbo, a competitor, or your own internal system, the point is the same: the firms that make it through this audit era cleanly will be the ones who stopped treating compliance as a monthly task and started treating it as an always-on system.

Related reading: What is IOLTA? A plain-English guide for new PI attorneys.

This post is general educational content, not legal advice. Consult your state bar's published rules and a qualified ethics attorney for decisions specific to your practice.